2 Sep 2019, 1:03 p.m.
On 2.9.2019 12.51, MK via dovecot wrote:
On 2 Sep 2019, at 11.01, MK via dovecot dovecot@dovecot.org wrote:
Good Morning List,
just a short question to this vulnerability. We are using a setup with dovecot redirector/proxy frontend servers and some backend server, which store the mailboxes. Is it enough to update the frontend servers if I like to fix the vulnerability?
No.
Sami
Thanks. Do I understand this correctly that updating the frontends fixes only the vulnerability for anonymous requests and for users logged in the vulnerability still exists if I don't update the backend servers?
Oliver
You are correct. After authentication proxies & directors will forward data as-is to backend, which leaves you vulnerable to post-auth vulnerability.
Aki